Q60 — AWS SAP-C02 Ch.3
Q285. A company uses AWS CloudFormation to deploy applications within multiple VPCs that are all attached to a transit gateway. Each VPC that sends traffic to the public internet must send the traffic through a shared services VPC. Each subnet within a VPC uses the default VPC route table, and the traffic is routed to the transit gateway. The transit gateway uses its default route table for any VPC attachment. A security audit reveals that an Amazon EC2 instance that is deployed within a VPC can communicate with an EC2 instance that is deployed in any of the company's other VPCs. A solutions architect needs to limit the traffic between the VPCs. Each VPC must be able to communicate only with a predefined, limited set of authorized VPCs. What should the solutions architect do to meet these requirements?
- A. Update the network ACL of each subnet within a VPC to allow outbound traffic only to the authorized VPCs. Remove all deny rules except the default deny rule.
- B. Update all the security groups that are used within a VPC to deny outbound traffic to security groups that are used within the unauthorized VPCs.
- C. Create a dedicated transit gateway route table for each VPC attachment. Route traffic only to the authorized VPCs. ✓
- D. Update the main route table of each VPC to route traffic only to the authorized VPCs through the transit gateway.
Correct Answer: C. Create a dedicated transit gateway route table for each VPC attachment. Route traffic only to the authorized VPCs.
Explanation
By creating a dedicated transit gateway route table for each VPC attachment and associating the attachment with that table, each VPC can be configured to route traffic only to the authorized VPCs; a destination that has no route in the attachment's table is dropped at the transit gateway, so the restriction is enforced centrally rather than inside each VPC. The default route table associated with the transit gateway can remain unchanged, and additional route tables can be created as needed for specific routing requirements.

Option A involves updating the network ACL of each subnet within a VPC to allow outbound traffic only to the authorized VPCs. This is not the most effective solution, since the rules must be modified and maintained on every subnet, and network ACLs do not provide sufficient control over the traffic between VPCs.

Option B involves updating all the security groups used within a VPC to deny outbound traffic to security groups used within the unauthorized VPCs. Security groups contain only allow rules, so they cannot express a deny. Security groups are effective for controlling traffic between instances within the same VPC but are not designed to limit traffic between VPCs.

Option D involves updating the main route table of each VPC to route traffic only to the authorized VPCs through the transit gateway. However, each VPC must also send its internet-bound traffic to the transit gateway so that it reaches the shared services VPC, and that route already covers the other VPCs' address ranges, so the VPC route table alone cannot exclude them. This option is also not suitable for complex networking environments, especially when many VPCs are involved.